- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Can a Splunk admin terminate a user session?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can a Splunk admin terminate a user session?
Can a Splunk admin terminate a user session?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
run splunk logout ,it will terminate the current session
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a better way to do this yet via the web console?
We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.
There was noone on staff over Christmas/New Year who could have performed this ssh command.
I would have hoped there should be an easier way?
Apart from restarting Splunk that is.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not possible via the UI, but it can be done. It's a little tricky though:
Find the user's session via a REST endpoint of splunkd:
https://localhost:8089/services/authentication/httpauth-tokens
You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like
https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314
And then kill the session by executing the following command on the splunk server:
splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
this is not accurate, can't find http tokens but user still doing searches.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches" which will run on a time pattern(CRON) regardless of users current GUI access.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still now difficult to identify where users are connected from except if you search Splunk load balancers / web servers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session
If you add a filter on the user field you can narrow down to specific account.
- clientip: source IP of connection, obviously NAT could hide the source but that's up to your network layout
- session: this is the http auth token that other users have already shown how to force delete from the system
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should be implemented in Splunk GUI 🙂
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
